Keeping customer data safe and secure is our top priority. If you’ve discovered a security vulnerability, please do not share it publicly. Instead, report it to us using our security response form.
Rules for you
- Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
- Do not access or modify, or attempt to access or modify, data that does not belong to you.
- Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
- Do not run any automated tools against our servers without prior coordination.
- Do not try to abuse our servers’ resources, including but not limited to sending unsolicited or unauthorized email.
- Do not publicly share the issue details until we confirm that it’s fixed.
- Do not attempt to blackmail us, or try to sell us your security report.
- When in doubt, contact us at firstname.lastname@example.org.
Rules for us
- We will not pursue any legal action against you if you obey the rules above.
- We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
- We will perform our own risk assessment for every reported vulnerability.
- If your report is not eligible, we will let you know the reason why.
- We will let you decide whether you want to be publicly acknowledged for your report.
Hall of Fame
For eligible reports, we can acknowledge your work by putting your name and (optionally) a link to your personal page on the list of security contributors below.
- We do not offer cash compensation for security reports.
- For some eligible reports that we identify as particularly important, we may reward you with our branded stickers or a t-shirt. If you’d like to receive something from us, please put your mailing address in the security response form, or share it later when we confirm the eligibility of your report.
What does not qualify?
- Vulnerabilities to timing and DoS attacks (remember, you’re not allowed to test these).
- Vulnerabilities that have been previously reported by another user.
- Known vulnerabilities in the components of our technological stack reported within 48 hours of their public reveal.
- Security issues only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections).
- Bugs or functionality that prove that a tested email address exists in our database, as well as the theoretical ability to brute-force such functionality.
- Vulnerabilities that we determine to be an accepted risk, including but not limited to:
  - Ability to sign up and use our services without confirming an email address.
  - Lack of CAPTCHAs on the forms.
  - Lack of use of hardfail (-all) on SPF records.
  - Lack of a reject record in DMARC.
Thanks for your support!
We’re grateful to the following people who have helped us improve the security of Postmark:
- Jose Pino @Fr4phc0r3
- Manish Bhattacharya @umenmactech
- Sasi Levi @sasi2103
- Ravindra Singh Rathore @ravindra_hacks
- Devesh Bhatt
- Tejash Patel @tejash1991
- Ishan Anand zero-access
- Nitesh Shilpkar @NiteshShilpkar
- Kamil Sevi @kamilsevi
- Simon Bräuer @redshark1802
- Jack Suter
- Ch. Muhammad Osama @ChMuhammadOsama
- Shahmeer Amir @maadssecurity
- Nadi Abdellah Fatality04
- Anil R. Vaghasiya Facebook, Twitter
- Nithish M. Varghese Facebook
- Milan A. Solanki @MilanSolanki19
- Sandeep Sudhagani Facebook
- Arbin Godar Twitter
- Ali Wamim Khan Facebook
- Sumit Sahoo Facebook
- Maulik Vaidh Twitter
- Vikash Chaudhary Twitter
- Pranav Digambar Jagtap Twitter
- Karl Aparece Hackerone
- Abdul Haq Khokhar Twitter
- Vishal Jain LinkedIn
- Nikhil Sahoo and Ipsita Subhadarshan Sahoo Twitter
- Ravela Pramod Kumar Twitter
- Mohammed Israil Twitter
- Hamit Cibo Twitter
- Vrisha Karna Twitter
- Takshal Patel @Takshal3
- Ronak Nahar @naharronak
- Armanul Miraz @miraz1194
- Foysal Ahmed Fahim @foysal1197